Adobe patches Reader bugs, releases new JavaScript feature

Adobe on Tuesday shipped quarterly fixes for its flagship Reader and Acrobat software running on Windows and Macintosh.

The update addresses six "critical" flaws, including two vulnerabilities that were emergency patched last month in Reader and Acrobat versions 9. The release addresses a total of six flaws and updates users to version 10.1.2 and, if they are unable to upgrade to Reader/Acrobat X, version 9.5.

The holes plugged by Tuesday's release can be exploited by attackers to crash or take control of a targeted system.

The releases also include new functionality that decides whether JavaScript can be executed in PDF documents based on privileged locations, which are single files, folders, or host domains that are considered trustworthy by the administrator.

In a blog post on Tuesday, Adobe explained the change.

"Adobe Reader and Acrobat allow administrators to disable the execution of JavaScript embedded in PDF files, a potential attack vector for exploits," wrote Steve Gottwals, a group product manager, and Priyank Choudhurty, a security researcher. "While doing so provides mitigation against JavaScript-based vulnerabilities, it also breaks PDF-based solution workflows that rely on forms and JavaScript."